InTune allowing any user with license to enroll device in personally owned


Within InTune, you can only enroll a corporately owned work profile or corporately owned fully managed from a reset and a QR Code token. However, with a personally owned Android, it doesn't seem to follow the compliance and configuration profiles I have set up.


I have a user that is not assigned to any of the groups I have in any of the compliance and configuration profiles in InTune (I have one each per enrollment type) so one user can only enroll 1 type depending on what group they are in.


So not only did it let this user log into the company portal, it installed the work and personal spaces on the device, it installed all of the work apps and I can use all of the work apps like Outlook without issue.


The device shows a red exclamation mark in the company portal and it shows in InTune as non-compliant but everything works fine.


This bunch of users are NOT a member of the conditional access policy I have set up to block all of these apps because we have some users that will NEVER enroll their devices in InTune because of their role (they own the company) so they do not want restrictions.

We will also have users that we will not license with a P1 so can't assign them to that CA policy anyway.


Is there really no way to prevent anyone that has a Business Premium license from adding their phone into InTune?


2 Replies
What's even worse is that the device I enrolled does not have a PIN on it and the configuration policy requires it (but since it's not compliant it didn't apply those policies but still installed all of the apps to the device). So I have fully working apps in a work profile that's not compliant but can access all resources and can't manage it from InTune.

Hi @luvsql! It sounds like you have not configured any device platform restrictions. This is where you would configure policies that dictate which users can and cannot enroll personally owned devices.


Take a look at your policies under Devices > Enroll devices > Enrollment device platform restrictions. You'll find four tabs at the top, allowing you to create restrictions per device platform (Android, Windows, macOS, iOS).



There will already be a restriction with "Default" priority, assigned to "All users". This one is always active and will be applied unless a restriction with a higher priority overrules it. Kind of like a final "deny all" firewall rule, except that this one says "allow all".


You can create additional restrictions, with higher priorities for specific user groups. Inside such a restriction, you can also define if you want to allow enrollment of personally-owned devices.


In your specific case, you'll want to block this in the "Default" restriction and then allow it again, for specific users, in an additional restriction. Remember: this works per device platform, so make sure you create restrictions for all of them.


That should do the trick.
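
The evaluation order described in the reply above, as an added example that is not part of the original thread: a simplified Python model (not Intune's API) that resolves which restriction applies to a user per platform and lists the platforms where the "Default" restriction still lets anyone enroll a personal device. The group name, the sample tenant and the convention that a lower priority number is evaluated first are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# The four platform tabs named in the reply.
PLATFORMS = ("Android", "Windows", "macOS", "iOS")

@dataclass(frozen=True)
class Restriction:
    platform: str
    priority: Optional[int]   # None = built-in "Default"; lower number wins (assumption)
    groups: frozenset         # assigned groups; unused for "Default" (All users)
    allow_personal: bool

def effective(restrictions, platform, user_groups):
    """Return the restriction that applies to this user on this platform."""
    scoped = [r for r in restrictions if r.platform == platform]
    custom = sorted((r for r in scoped if r.priority is not None),
                    key=lambda r: r.priority)
    for r in custom:
        if r.groups & user_groups:      # first matching custom restriction overrules
            return r
    for r in scoped:
        if r.priority is None:          # otherwise the edited "Default" applies
            return r
    # An untouched "Default" behaves as "allow all", as the reply describes.
    return Restriction(platform, None, frozenset(), True)

def can_enroll_personal(restrictions, platform, user_groups):
    return effective(restrictions, platform, user_groups).allow_personal

def open_platforms(restrictions):
    """Platforms where a user in no group at all can enroll a personal device."""
    return [p for p in PLATFORMS
            if can_enroll_personal(restrictions, p, frozenset())]

# Constructed sample tenant: Android and iOS defaults were changed to block,
# one Android allow-list exists, Windows and macOS were never touched.
TENANT = [
    Restriction("Android", None, frozenset(), False),
    Restriction("Android", 1, frozenset({"byod-android"}), True),
    Restriction("iOS", None, frozenset(), False),
]

if __name__ == "__main__":
    print("Still open to everyone:", open_platforms(TENANT))
```

In this constructed tenant the unassigned user from the question is blocked on Android, while Windows and macOS remain open because their "Default" restrictions were left at allow.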